Dean Ball on Claude Mythos: The US Just Created an Informal AI Licensing Regime Without Saying So
AI policy analyst Dean Ball says the White House blocking Mythos is 'a licensing regime — informal, highly improvised, but a licensing regime nonetheless.'
The US Government Just Invented an AI Licensing Regime Without Passing a Single Law
Dean Ball, an AI policy analyst with close ties to how Washington actually makes decisions, looked at the White House blocking Anthropic’s Mythos expansion and called it what it is: “The government restricting the release of AI models is a type of licensing regime. It’s an informal, highly improvised licensing regime, but a licensing regime nonetheless.”
That sentence should stop you cold. No legislation. No formal rulemaking. No public comment period. Just an administration official telling a private company it cannot expand access to its own product — and that action constituting, in practice, a licensing regime for AI.
This is new territory. And most of the coverage has missed what’s actually interesting about it.
What Dean Ball Actually Said
The specific facts: Anthropic wanted to expand Claude Mythos preview access from roughly 50 organizations to 120. The White House said no. Administration officials cited two reasons — national security concerns, and doubt that Anthropic had enough compute to serve both the expanded list and the federal government without degrading the government’s access.
Anthropic disputes the compute claim. They’ve signed deals with Amazon, Google, and Broadcom. But those buildouts take time, and the government apparently wasn’t willing to wait on Anthropic’s assurances.
Seven tools to build an app. Or just Remy.
Editor, preview, AI agents, deploy — all in one tab. Nothing to install.
Ball’s framing is precise: this is “the very first case that we know of of the US government restricting rollout of a new AI model based on policy considerations.” Not a court order. Not a statute. An informal veto from the executive branch over a company’s product distribution decision.
That’s a licensing regime. It just doesn’t look like one yet.
Why This Is Non-Obvious
Most people think of licensing as something formal. The FDA approves drugs. The FCC licenses spectrum. The NRC regulates nuclear material. These are statutory frameworks with defined criteria, appeals processes, and public accountability.
What happened with Mythos is none of that. There’s no law that gives the White House authority to block an AI company from adding customers. There’s no defined standard for what makes a model too dangerous to distribute. There’s no process Anthropic could follow to get a different answer.
And yet the effect is identical to a licensing decision: a government body determined that a private company could not distribute its product to additional parties, and the company complied.
The reason this is non-obvious is that it doesn’t feel like regulation. It feels like a phone call. But the substance — government control over who gets access to a technology — is the same.
Ball’s conclusion is worth sitting with: “I cannot emphasize enough how much the training wheels have come off on AI policy. The trial runs are over.”
The Capabilities That Made This Happen
To understand why the government cares enough to make that call, you need to understand what Mythos actually does.
The UK’s AI Security Institute runs a benchmark called the “Last Ones” — a 32-step simulated corporate network attack. AISI estimates a human expert would need roughly 20 hours to complete it end-to-end. Claude Mythos completed it in 3 out of 10 attempts. GPT-5.5 subsequently completed it in 2 out of 10 attempts, becoming the second model to cross that threshold.
These aren’t abstract benchmark numbers. The AISI is a government-backed evaluation body. When they publish results like this, central banks pay attention. The Federal Reserve reportedly held an emergency meeting after seeing what Mythos could do. These institutions aren’t on Anthropic’s PR team.
Mythos also found a 27-year-old vulnerability in OpenBSD — a codebase that’s been scrutinized by security researchers for nearly three decades. The vulnerability was just sitting there, undetected, until a model found it.
Meanwhile, GPT-5.5 solved a reverse-engineering challenge in 10 minutes and 22 seconds at a cost of $1.73 in API usage. The same task would take a human expert approximately 12 hours. The cost curve here is the thing that should alarm you: less than two dollars to find an exploit that previously required a skilled professional’s full working day.
GPT-5.5 scored 71.4% on expert-level cyber tasks; Claude Mythos scored 68.6%. They’re close. And the Pentagon has signed AI agreements with eight companies — SpaceX, OpenAI, Google, Nvidia, Reflection, Microsoft, AWS, and Oracle — with Anthropic notably absent from that list.
For more on what Mythos is and how it fits into Anthropic’s model hierarchy, Claude Mythos sits above Opus in Anthropic’s size hierarchy — Haiku, Sonnet, Opus, and then Mythos as a new class entirely. It’s not an incremental update. It’s a different tier of compute and capability.
Plans first. Then code.
Remy writes the spec, manages the build, and ships the app.
The Dual-Use Problem Has No Clean Solution
Here’s the tension that makes this genuinely hard. The same capability that lets Mythos find a 27-year-old OpenBSD bug also lets it find bugs that haven’t been patched yet. The model doesn’t distinguish between defenders and attackers. It just finds vulnerabilities.
Anthropic’s position is that getting Mythos into the hands of more “defenders” — security teams, financial institutions, critical infrastructure operators — is how you improve the overall security posture. More defenders with better tools means faster patching, better detection, stronger systems.
The White House’s position is that wider access creates more attack surface, and that the government’s own ability to use Mythos shouldn’t be degraded by commercial demand.
David Sacks, a venture capitalist and Trump administration adviser, offered a counter-framing worth considering: Mythos “is not magic, not a doomsday device.” He expects all leading Chinese models to reach the same capability level within six months. If that’s true, restricting Mythos access doesn’t eliminate the threat — it just delays it while potentially disadvantaging American defenders.
Ball makes a similar point. These capabilities will diffuse over the next 6 to 18 months, whether from Western labs or from open-source Chinese models. A dam against a tsunami, as he put it. The informal licensing regime might be the right short-term call and still be insufficient as a long-term strategy.
The cybersecurity capability gap between Mythos and earlier Claude models is substantial enough that this isn’t a hypothetical concern — it’s a real discontinuity in what AI can do to enterprise networks.
What a Real Licensing Regime Would Require
If the government is going to exercise licensing-like authority over AI model distribution, doing it informally is the worst possible approach. Here’s why.
Informal licensing is arbitrary. There’s no standard for what makes a model too dangerous to distribute. The decision is made by whoever happens to be in the relevant position at the relevant moment, based on criteria that aren’t published and can’t be appealed.
Informal licensing is inconsistent. OpenAI is rolling out GPT-5.5 cyber to its list of critical defenders right now. GPT-5.5 completed the same AISI benchmark that triggered the Mythos restrictions. If the government’s concern is the capability, why is one model being restricted while another with nearly identical benchmark scores is being distributed?
Informal licensing creates perverse incentives. If the path to government approval runs through relationships and trust rather than technical criteria, companies will optimize for relationships. That’s not how you get good security outcomes.
Ball argues that technical safeguards — not just access restrictions — are the right answer. The logic is that if you can make a model safe enough for defenders to use without creating unacceptable offensive risk, you can actually accelerate both AI development and security improvement simultaneously. Technical AI safety becomes accelerationist, in his framing, if it lets defenders safely use stronger systems.
That’s a more sophisticated position than either “restrict everything” or “release everything.” But it requires actual criteria, actual evaluation frameworks, and actual accountability — none of which exist right now.
The Compute Dimension Nobody Is Talking About
There’s a second layer to this story that’s gotten less attention than the security narrative.
Mythos is the largest model class Anthropic has ever released publicly. In Anthropic’s hierarchy — Haiku, Sonnet, Opus, Mythos — it sits above everything that came before. Running it at scale requires substantially more compute than running Opus or Sonnet. Anthropic’s compute deals with Amazon, Google, and Broadcom are real, but the buildout takes time.
If Mythos demand scales faster than available compute, someone’s access gets prioritized over someone else’s. The federal government, apparently, does not want to be the party standing in line.
This is a preview of a broader dynamic. As AI models become critical infrastructure — not SaaS, not software, but something closer to controlled national infrastructure — the question of who gets priority access during scarcity becomes a policy question, not just a business question. The government is asserting, informally, that it gets to answer that question.
Anthropic’s compute shortage is a real constraint that shapes everything from model availability to the government’s willingness to trust Anthropic’s assurances. You can’t separate the policy story from the infrastructure story.
What This Means If You’re Building on AI
If you’re building applications that depend on frontier AI models, the Mythos situation is a signal worth taking seriously.
The models you’re building on are increasingly being treated as controlled infrastructure. That doesn’t mean access will be cut off tomorrow. But it does mean the terms of access are subject to change based on factors that have nothing to do with your use case — geopolitics, compute scarcity, informal government pressure, trust relationships between labs and administrations.
This is one reason why model-agnostic infrastructure matters. If your application is tightly coupled to a single model from a single lab, you’re exposed to exactly this kind of disruption. Platforms like MindStudio handle this by giving you access to 200+ models and 1,000+ integrations through a single builder — so when the landscape shifts, you’re not rewriting your stack.
The same logic applies at the application layer. When you’re building tools that need to adapt as model availability changes, having your application logic live in a spec rather than tangled through model-specific API calls is increasingly valuable. Remy takes this approach: you write your application as an annotated spec — a markdown document where intent and precision coexist — and it compiles that into a complete TypeScript stack. The spec is the source of truth; the underlying model calls are derived output that can be updated without touching the spec.
The Precedent Problem
Here’s the thing about informal precedents: they harden.
The first time the government informally blocked an AI model rollout, it was a phone call. The second time, it’ll be expected. The third time, it’ll be standard practice. By the time anyone tries to formalize it, the informal regime will already have shaped the industry’s behavior for years.
Remy is new. The platform isn't.
Remy is the latest expression of years of platform work. Not a hastily wrapped LLM.
That’s how a lot of regulation actually works. The formal rules catch up to informal practice. The question is whether the informal practice that’s hardening is the right one.
Right now, the practice is: the government can veto AI model distribution decisions based on unpublished criteria, with no appeals process, applied inconsistently across labs. That’s a bad foundation for a licensing regime, even if the underlying instinct — that some AI capabilities require careful distribution — is correct.
Ball’s point isn’t that the White House made the wrong call on Mythos specifically. It’s that making the right call informally doesn’t build the right system. And the system matters more than any individual decision.
The training wheels are off. The question is whether anyone is going to build a real bicycle, or whether we’re going to keep improvising.
